AI Agent Safety: Guardrails, Money and Reversibility
An AI agent is safe enough to use when three layers exist. You need a written never-do-alone list (money, publishing, messages, identity), reversibility for everything it touches so that git makes file mistakes fully recoverable, and an inbox where the agent asks instead of acting. None of these relies on the agent "being careful." They are structure, not trust, which is the whole point: safety you can verify beats safety you have to hope for. This page is the reading path that builds all three layers.
People worry about the wrong risk first. The fear is usually that the model will "decide" to do something reckless, but the real exposures are mundane and preventable: an unattended purchase, a premature publish, a message sent under your name, a file overwritten with no way back. Each of those has a structural fix that does not depend on the model's judgment at all, and put together they make the difference between an agent you supervise constantly and one you can leave running.
What should an AI agent never do without asking?
Five categories, and they should live in the contract file the agent reads on startup: spending money, creating accounts or publishing anything public, messaging real people, acting under your name or identity, and stepping outside its allowed set of tools and folders. Everything else it just does; these five it proposes and waits. The mechanism is an inbox file where the agent writes the request with enough context for a yes or no, and the list is not permanent - it shrinks over time as you grant specific, logged permissions the agent has earned. See what an agent should never do without asking for the full breakdown.
Start here: the reading path
Read these in order. The first two set the frame and the never-alone list; the rest cover guardrails, money specifically, reversibility with git, and how to catch the agent inventing facts.
- Is it safe to give an AI agent access to my computer? - yes, under three conditions: git reversibility, guardrails in the contract, and secrets kept out of reach.
- What should an AI agent never do without asking? - the five never-alone categories and the inbox mechanism that turns a ban into a stream of proposals.
- AI agent guardrails: what your agent must never do alone - reversibility, the five defaults, and the propose-park-proceed pattern.
- How to stop an AI agent from spending your money - one contract-file rule, the propose-instead-of-buy mechanism, and why a budget cap fails.
- The checkpoint habit: making AI agent work crash-proof with git - state plus a commit every hour turns disasters into boring, recoverable events. Git for non-programmers included.
- Do AI agents make things up? How a business owner catches it - less than before, not zero, and the three-check habit that catches it: sources, numbers versus the metrics file, and the git diff.
- How to stop your AI agent asking permission for everything - the middle ground without YOLO mode: auto-approve reversible actions, gate the irreversible ones, and add carve-outs as they are earned.
- Can an AI agent delete your files? Make every mistake reversible - why reversibility beats a command blacklist, and the two-rule insurance policy that recovered 14 corrupted files.
- Before you connect an AI agent to your email - what "connect" really grants, and how to give the least access possible, keeping sending behind human approval.
- Can someone hijack your AI agent with an email? - the lethal trifecta explained plainly, and the structural defense that breaks it without a smarter model.
FAQ
Can an AI agent spend my money without permission?
Not if the rule lives in the file the agent reads every session. Spending sits at the top of the never-alone list, so the agent proposes any purchase - a domain, a subscription, an API top-up - in the inbox and waits for an explicit yes, rather than acting. A budget cap alone is the weaker approach, because it authorizes a stream of small buys you never individually approved; the reliable pattern is propose-instead-of-buy, where nothing is spent until you say so in writing.
Can I undo an AI agent's mistakes?
For anything kept in files under git, yes, completely. Every checkpoint is a commit, so a bad edit is one command away from being reverted, and a session that went sideways can be rolled back to the last known-good state. This is why the checkpoint habit matters more than it looks: it is not bureaucracy, it is the mechanism that makes file mistakes 100% recoverable and lets you run the agent without holding your breath. The things that are not trivially reversible - money, messages, publishing - are exactly the things on the never-alone list.
Do written prompts alone make an agent safe?
No, because a rule typed into a single conversation lasts only as long as that conversation. The next session starts blank and never sees it, which is the same amnesia that defeats memory. Safety rules have to live in the contract file the agent reads on startup, so the guardrails survive every session and every restart. A prompt is a suggestion for one chat; a contract file is a standing rule.